It can appear cut-and-dry on the surface, but there are layers and complexities to buying SaaS applications. Among them are internal priorities, specifications, stakeholders, budgets, legal, contracts, and last but certainly not least, security.
Since SaaS security isn’t something we can physically see like we do a SaaS solution's functionality, cost, and contracts, it is easy to overlook. That is until there is a cybersecurity threat that creates a domino effect of not-so-great and potentially costly repercussions within your organization.
No pressure, but according to a Hacker News survey, 52% of respondents said checking and maintaining SaaS security is in the hands of the SaaS owner, or in other words, your company.
It is vital that SaaS buyers take a proactive approach to application security. That’s why we’ve created a four-step SaaS security checklist to keep in your buying toolbox.
The first step in the SaaS security checklist is to assess your company’s security needs and security risk appetite.
If you’re lucky, your company’s IT team has defined SaaS policies and procedures. In that case, you’ll have information at your fingertips to review when needed, and there should be little to no gray area on what the security standards are.
But what if your company does not have those policies and procedures documented, and you’re unsure where to start? Then, IT’s involvement should begin at step one instead of step two.
There are some critical areas of security you’ll need to know. However, let me preface by saying that unless you’re a security professional who happens to be in a buying role, you are not expected to be the expert on any one of these things. As the SaaS buyer, though, you do need to be aware of them and have a general understanding of what they are.
The great thing about step one is that it isn’t something you’ll have to do every time you buy a SaaS product. Instead, you might want to set up a schedule with your internal security team to review these needs regularly, perhaps quarterly or yearly.
If you’re solid on step one, then you’ve likely already started a collaboration with IT Security. But if you haven’t and have already gotten two of your five SaaS buying “yeses” (department head and finance), now’s the time to get your third “yes” from security.
In a former role as a SaaS buyer, I found that a close relationship with all areas of IT was an integral part of the company’s SaaS success. The relationships meant that I knew who to call with security questions and ensured they were in the know and involved in any potential SaaS buying projects. When I led a request for proposal (RFP) or request for bid (RFQ) process, someone from the Security area was always on the stakeholder committee.
Security collaboration is important because it adds a layer of protection to the SaaS buying process, and it also gives your tech teams a chance to plan resources appropriately for any SaaS implementation and deployment requirements.
And, perhaps just as compelling to us buyers, your IT teams will get so familiar with your involvement that if they are made aware of a SaaS application need before you, they’ll return the favor and make sure you’re a part of the process early on. It’s a win-win.
Step three of the SaaS security checklist is to get a risk and security questionnaire filled out by each potential SaaS provider. Of course, not every SaaS project will be the same. In fact, few will be. But one thing that should be steadfast — no matter the product or the buying process — is the company’s risk and security assessment questionnaire.
The questionnaire is something you’ll work with Security to create and will be a (likely extensive) list of cybersecurity-related questions for each potential SaaS provider. The questionnaire may need to be modified from product to product, depending on the intended use and the data that it will store.
A SaaS supplier may not have security policies that meet every one of your internal security requirements, but this questionnaire allows your company to review the supplier’s security practices at a high level.
Also, remember that the types of questions you need to ask may vary depending on the type of SaaS application you’re purchasing. In general, the SaaS security questionnaire can be a one-size-fits-all approach with a few potential tweaks. The supplier may include answers to some of these questions in their service level agreement (SLA), but it is perfectly OK to include them here, too.
So, what types of questions should be on your SaaS risk and cybersecurity questionnaire? We’ll touch on a few of the more common categories.
Asset management gets into the details of access controls within the application. For example, who has access to the system, how is the access controlled, and what method is used to verify credentials? These are essential asset management considerations.
Here are some common questions related to cloud application asset management you might include on your security questionnaire:
There is, at minimum, a one-way transfer of data in most SaaS products, and typically much more than that. That data may include end-user personally identifiable information (PII), financial data such as bank account information, protected health information covered by HIPAA, and other types of sensitive data, depending on the nature of your company.
The following are some data protection questions you may want to include on the security questionnaire:
When it comes to external security threats, network security controls are the first line of defense. Some common network-related questions to ask suppliers are:
Scalability is important because even if the company has no known intention of expanding its use of the SaaS product, the need may arise in the future.
Here are a couple of questions related to scalability you may ask potential suppliers:
SaaS buying companies care about downtime for obvious reasons. If we’re paying for a product, we want it to be reliable. But more than that, it is important to know what type of disaster recovery plans a SaaS supplier has in place to avoid data loss. Consider these reliability questions for your questionnaire:
If you’ve completed steps one through three of the SaaS security checklist, you’ve been pretty thorough, but don’t hang up your security hat quite yet. Regardless of what your company’s security plan is, it needs to be sustainable. This means periodic updates of the security and risk questionnaire. I found that coordinating this with contract renewal helped me not to forget it. Figure out a time that works for you and your SaaS supplier.
Here are some ways to keep a sustainable security plan:
At one time, on-premises applications, where we managed security exclusively within our organizations, were all we knew. By the late 1990s, SaaS entered the scene and created a more digitized world than most of us ever imagined.
SaaS and now SaaS cloud services have changed the game by allowing us the same and, in many cases, better functionality without the need for dedicated servers, internal security, and labor resources to install the physical software on user machines. This type of technology has given our organizations more efficiency, more robust compliance, better reporting capabilities, and more savings, all in real time.
SaaS products continue to expand, which means security issues will continue to change, and security measures of control must change with them. As SaaS buyers, our ability to flexibly adapt to the ever-changing security landscape is imperative to our company’s success. The SaaS security checklist is a fail-safe strategy to help ensure that success.